Black Box ET0010A User Manual
Using Enhanced Security Features
290
EncrypTight User Guide
In order to use OCSP, you must enable it on each EncrypTight component.
ETEPs can read the URL from the certificate itself, but you can specify a URL to use if needed.
The EncrypTight software and the ETKMSs provide additional options that allow you to specify the
default action if no OCSP responder can be located or if the URL cannot be contacted. When OCSP is
enabled, EncrypTight and the ETKMS try to check the revocation status using OCSP.
default action if no OCSP responder can be located or if the URL cannot be contacted. When OCSP is
enabled, EncrypTight and the ETKMS try to check the revocation status using OCSP.
●
If no default OCSP responder is defined, then EncrypTight and the ETKMS check the certificate to
determine the URL to use to contact an OCSP responder.
determine the URL to use to contact an OCSP responder.
●
If there is no OCSP URL defined in the certificate, you can specify that EncrypTight and the ETKMS
check the certificate for the URL of a CRL Distribution Point as a fallback.
check the certificate for the URL of a CRL Distribution Point as a fallback.
●
If the CRL Distribution Point URL is not present or if the URL cannot be reached, the validation
fails. Unlike using CRLs only, there is no option to ignore revocation check failures in this scenario.
fails. Unlike using CRLs only, there is no option to ignore revocation check failures in this scenario.
By default, the system assumes that OCSP responses are signed by the issuer of the certificate whose
status is being checked. You can override this and specify an alternative signer by entering the subject
name of the signer’s certificate.
status is being checked. You can override this and specify an alternative signer by entering the subject
name of the signer’s certificate.
In addition, in order to verify the response from the OCSP responder, you need to install the certificate
from the OCSP responder. For more information about installing certificates, see
from the OCSP responder. For more information about installing certificates, see
To set up OCSP in EncrypTight:
1 In the EncrypTight software, click Edit > Preferences.
2 In the tree, expand the ETEMS item and click Communications (see
1 In the EncrypTight software, click Edit > Preferences.
2 In the tree, expand the ETEMS item and click Communications (see
).
3 Click Enable Online Certificate Status Protocol (OCSP).
4 Configure other options as needed (see
4 Configure other options as needed (see
).
5 Click OK.
Table 79
EncrypTight OCSP Options
Options
Description
Enable Online Certificate
Status Protocol (OCSP)
Enables and disables the use of OCSP in the EncrypTight software. By
default, this is disabled.
OCSP Responder
Certificate Distinguished
Name
Specifies the subject name of the certificate for the OCSP responder.
Verify OCSP Responder
Specifies that messages from the OCSP responder should be
authenticated using the installed certificate. To use this option, you must
install a certificate for the OCSP responder.
Ignore Failure to Respond
Specifies that the lack of a response from the OCSP responder should
be ignored.
Revert to CRL on OCSP
Responder Failure
Specifies that if the OCSP responder does not reply or cannot be
reached, EncrypTight should read the certificate to determine the
location of the CRL to use to validate the certificate. Note that
authentication fails when OCSP is enabled and a CRL cannot be
accessed as a fallback.
Check OCSP Responder
Certificate Chain
Specifies that every certificate in the certificate chain of the OCSP
responder should be checked.
OCSP URL
Specifies the URL to use for OCSP checking. This option overrides the
use of any OCSP URL that might be indicated in certificates.